Quantum-noise randomized data-encryption for WDM fiber-optic networks
We demonstrate high-rate randomized data-encryption through optical fibers using the inherent
quantum-measurement noise of coherent states of light. Specifically, we demonstrate 650Mbps
data encryption through a 10Gbps data-bearing, in-line amplified 200km-long line. In our protocol,
legitimate users (who share a short secret-key) communicate using an M-ry signal set while
an attacker (who does not share the secret key) is forced to contend with the fundamental and 
irreducible quantum-measurement noise of coherent states. Implementations of our protocol using 
both polarization-encoded signal sets as well as polarization-insensitive phase-keyed signal sets are 
experimentally and theoretically evaluated. Different from the performance criteria for the cryp- 
tographic objective of key generation (quantum key-generation), one possible set of performance 
criteria for the cryptographic objective of data encryption is established and carefully considered.

I. INTRODUCTION



For more than twenty years, physicists and engineers 
have investigated quantum-mechanical phenomena as 
mechanisms to satisfy certain cryptographic objectives. 
Such objectives include user authentication, bit commit- 
ment, key generation, and recently, data encryption. To 
date, the cryptographic objective most considered in the 
literature has been key generation. In key generation, 
two users, who initially share a small amount of secret 
information, remotely agree on a sequence of bits that is 
both larger than their original shared information and is 
known only to them. The newly generated bits (keys) 
are then used to publicly communicate secret messages 
over classical channels by driving data encrypters like 
the information-theoretically perfect one-time pad or 
more efficient (but less secure) encrypters, such as the 
Advanced Encryption Standard, where security is described
in terms of complexity assumptions.

Several approaches to key generation using quantum 
effects have been proposed and demonstrated. The most 
famous of these protocols, the BB84 protocol and 
the Ekert protocol, have enjoyed considerable theoretical
consideration as well as experimental implementation.
A major technical limitation of the BB84
(Ekert) protocol is that the achievable key-generation 
rate (more importantly, the rate-distance product) is rel- 
atively low due to the protocol's requirement for single- 
photon (entangled-photon) quantum states. This re- 
quirement is a burden not only in the generation of such 
states, but also in that such states are acutely susceptible 
to loss, are not optically amplifiable (in general), and are
difficult to detect at high rates. Furthermore, because the
received light must be detected at the single-photon level,
integration of the protocol implementations into today's
wavelength-division-multiplexed (WDM) fiber-optic infrastructure
is problematic because cross-channel isolation
is typically no better than 30dB.

*Electronic address: corndorf@ece.northwestern.edu

Recently, we have demonstrated a new quantum cryptographic
scheme, based on Yuen's KCQ approach, in
which the inherent quantum noise of coherent states of
light is used to perform the cryptographic service of data
encryption. Unlike single-photon states, coherent
states (of moderate average-energy level) are easily
generated, easily detected, and are optically amplifiable, 
networkable, and loss tolerant. Note that key generation 
and data encryption are two different cryptographic ob- 
jectives with different sets of criteria by which to judge 
performance — a direct comparison between the two is not 
appropriate. 

In our scheme, legitimate users extend a short, shared
secret-key by using a publicly known deterministic function.
The transmitter uses the extended key to select a
signal set for each transmitted bit such that the legitimate
receiver, using the same extended key, is able to
execute a simple binary-decision measurement on each
bit. An eavesdropper, on the other hand, who does not
possess the secret key, is subject to an irreducible quantum
uncertainty in each measurement, even with the use
of ideal detectors. This uncertainty results in randomization
of the eavesdropper's observations, thereby realizing
a true randomized cipher which effectively limits the
eavesdropper's ability to decipher the transmitted message.
This randomization is "free" in that it does not require
any additional action on the part of the transmitter
in contrast to other randomized ciphers, where
active randomization of the signal-set is required by the
transmitter. Our scheme, running at data-encryption
rates up to 650Mbps, uses off-the-shelf components and
is compatible with today's optical telecommunications
infrastructure. This paper is organized as follows: in
section II we outline our quantum-noise protected data-encryption
protocol (called the αη protocol), in section III
we address issues of security and performance, and in
section IV we summarize our experimental results.

II. DATA ENCRYPTION PROTOCOL 

We have implemented two versions of our quantum-noise
protected data-encryption protocol using different
signal sets — one using polarization states
(polarization-mode scheme) and the other using phase
states (time-mode scheme). In both implementations,
the fundamental and irreducible measurement
uncertainty of coherent states is the key element giving
security. In the polarization-mode scheme, the two-mode
coherent states employed are

$$|\Psi_m^{(a)}\rangle = |\alpha\rangle_x \otimes |\alpha e^{i\theta_m}\rangle_y, \qquad (1)$$
$$|\Psi_m^{(b)}\rangle = |\alpha\rangle_x \otimes |\alpha e^{i(\theta_m+\pi)}\rangle_y, \qquad (2)$$

where $|\alpha\rangle$ is a coherent state, $\theta_m = \pi m/M$,
$m \in \{0, 1, 2, \ldots, (M-1)\}$, M is odd, and the subscripts x and y
indicate the two orthogonal polarization mode-functions.
Viewed on the Poincare sphere, these 2M polarization
states form M bases that uniformly span a great circle
as shown in Fig. 1 (top). In the time-mode scheme, the
single-mode coherent states employed are

$$|\Psi_m^{(a)}\rangle = |\alpha e^{i\theta_m}\rangle, \qquad (3)$$
$$|\Psi_m^{(b)}\rangle = |\alpha e^{i(\theta_m+\pi)}\rangle, \qquad (4)$$

where again $\theta_m = \pi m/M$, $m \in \{0, 1, 2, \ldots, (M-1)\}$, and
M is odd. These 2M states form M antipodal-phase
pairs (bases) that uniformly span the phase circle, as
shown in Fig. 1 (bottom).

In both schemes, the transmitter (Alice) extends an
s-bit secret key, K, to a $(2^s - 1)$-bit pseudo-random
extended-key, K', using a publicly known s-bit linear
feedback shift-register (LFSR) of maximal length.
The extended-key is grouped into continuous disjointed
r-bit blocks and then passed through an invertible r-bit-to-r-bit
deterministic mapping function, referred to as
a "mapper," resulting in running-keys, R, where
$r = \mathrm{Int}[\log_2 M]$ and $s \gg r$. The mapper, which is publicly
known, helps to distribute an attacker's measurement
uncertainty throughout each running-key. Without the
use of a mapper, an attacker's measurement uncertainty
would, the majority of the time, obscure just the
least-significant bits of each r-bit running-key, thereby leaving
most of the r bits clearly identifiable. Also, note that an
LFSR is just one of many functions that the users can
use to extend K into K'. LFSRs are used
in these experiments because they are mathematically
simple to describe, which could be useful when quantifying
the precise level of security provided by αη.




FIG. 1: Top: M pairs of orthogonal polarization states uni- 
formly span a great circle of the Poincare sphere; Bottom: M 
pairs of antipodal phase states uniformly span a phase circle. 



Depending on the data bit and an instantiation of
the running-key R, one of the states in Eqs. (1) [(2)]
or (3) [(4)] is transmitted where m is the decimal
representation of R. Specifically, for the polarization-mode
scheme, if m is even then $(0,1) \to (|\Psi_m^{(a)}\rangle, |\Psi_m^{(b)}\rangle)$ and
if m is odd then $(0,1) \to (|\Psi_m^{(b)}\rangle, |\Psi_m^{(a)}\rangle)$. This
results in the logical bit mapping of the polarization states
on the Poincare sphere to be interleaved 0, 1, 0, 1, ..., as
shown in Fig. 1 (top). The time-mode scheme is
similarly organized but slightly more complicated in that
the data bits are defined differentially (differential-phase-shift
keying, DPSK). Specifically, if m is even, then the
DPSK mapping is $(0,\pi) \to (|\Psi_m^{(a)}\rangle, |\Psi_m^{(b)}\rangle)$, and
$(0,\pi) \to (|\Psi_m^{(b)}\rangle, |\Psi_m^{(a)}\rangle)$ for m odd. If we relabel the states
corresponding to DPSK phases of "0" and "$\pi$" as $\mu$ and
$\nu$, respectively, then logical zero is mapped to $|\Psi_m^{(\mu)}\rangle$
($|\Psi_m^{(\nu)}\rangle$) if the previously transmitted state was from
the set $\{|\Psi_{m'}^{(\mu)}\rangle\}$ ($\{|\Psi_{m'}^{(\nu)}\rangle\}$) and logical one is mapped
to $|\Psi_m^{(\nu)}\rangle$ ($|\Psi_m^{(\mu)}\rangle$) if the previously transmitted state was
from the set $\{|\Psi_{m'}^{(\mu)}\rangle\}$ ($\{|\Psi_{m'}^{(\nu)}\rangle\}$). This results in the
mapping of the symbols on the phase circle to be interleaved
$\mu, \nu, \mu, \nu, \ldots$, as shown in Fig. 1 (bottom).

At the receiving end, the intended receiver (Bob)
uses the same s-bit secret key and LFSR/mapper to
apply unitary transformations to his received quantum
states according to the running-keys. These transformations
correspond to polarization-state rotations for the
polarization-mode scheme, and phase shifts for the time-mode
scheme — in either case the transmitted M-ry signal
set is reduced to a binary signal-set. The resulting states
under measurement, depending on the logical bit, are



l^^'V = \m).®\-m)y, 

for the polarization-mode scheme and 

= \rja), 



(5) 
(6) 



(7) 

(8) 



for the time mode scheme, where $\eta$ is the channel transmissivity.
For both schemes the states are then demodulated
and differentially detected. Specifically, a fixed $\pi/4$
polarization rotation on the states in the polarization-mode
scheme results in the detected states



(9) 
(10) 



whereas temporally-asymmetric interferometry in the 
time-mode implementation results in the detected states 



(11) 
(12) 



An important feature to note is that Bob does not re- 
quire high precision in applying decryption transforma- 
tions to a transmitted bit. While the application of a 
slightly incorrect polarization/phase transformation re- 
sults in a larger probability of error for the bit, it does 
not categorically render a bit to be in error. For small 
perturbations to the polarization/phase rotation, the ma- 
jority of the signal energy stays in one of the two detec- 
tion modes. The same applies to Bob's detector noise; 
while an ideal detector allows for optimized performance, 
a noisy detector does not limit Bob's decryption ability 
beyond an increased probability of bit error. 

A high-level block diagram of the αη protocol is provided
in Fig. 2. Note that some elements of our protocol
that help to protect the secret key against attack
have been intentionally omitted from this description for 
the purpose of clarity. These omitted elements are men- 
tioned in the following section and are further described 
in Ref. ^. 
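The key-extension, mapping and encode/decode steps of this section, as an added Python example that is not the authors' code. It tracks only the classical bookkeeping (noiseless phases, polarization-mode bit mapping) and assumes s = 16 with a textbook 16-bit maximal-length LFSR, an odd-multiplier mapper standing in for the unspecified public mapper, and M = 2047; all function names are hypothetical.

```python
import math

S = 16  # secret-key length s in bits (assumption: the page does not fix s)


def _step(state):
    # One clock of a 16-bit maximal-length Fibonacci LFSR (taps 16, 14, 13, 11).
    fb = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
    return (state >> 1) | (fb << (S - 1))


def lfsr_period(key):
    """Number of steps until the register returns to its seed."""
    state, n = _step(key), 1
    while state != key:
        state, n = _step(state), n + 1
    return n


def extended_key(key, nbits):
    """Extended key K': the first nbits of LFSR output seeded with K."""
    if not 0 < key < (1 << S):
        raise ValueError("K must be a non-zero s-bit value; the all-zero state never changes")
    if nbits > (1 << S) - 1:
        raise ValueError("request exceeds the (2^s - 1)-bit extended key")
    state, out = key, []
    for _ in range(nbits):
        out.append(state & 1)
        state = _step(state)
    return out


MAP_MULT = 0x2B5  # odd multiplier: hypothetical stand-in for the public mapper


def mapper(block, r):
    """Invertible r-bit-to-r-bit map (multiplication by an odd constant mod 2^r)."""
    return (block * MAP_MULT) % (1 << r)


def running_keys(key, M, count):
    """Running keys R as integers m, one per transmitted bit."""
    if M < 3 or M % 2 == 0:
        raise ValueError("M must be an odd integer >= 3")
    r = M.bit_length() - 1                 # r = Int[log2 M]
    bits = extended_key(key, r * count)
    keys = []
    for i in range(count):
        block = 0
        for b in bits[i * r:(i + 1) * r]:  # disjoint r-bit blocks of K'
            block = (block << 1) | b
        keys.append(mapper(block, r))      # r-bit keys reach m in 0 .. 2^r - 1
    return keys


def encrypt(data_bits, key, M):
    """Alice: relative phase of the transmitted state for each data bit."""
    phases = []
    for bit, m in zip(data_bits, running_keys(key, M, len(data_bits))):
        # m even: (0,1) -> (a,b); m odd: (0,1) -> (b,a). State b adds pi.
        phases.append(math.pi * m / M + math.pi * (bit ^ (m & 1)))
    return phases


def decrypt(phases, key, M, rotation_error=0.0):
    """Bob: undo theta_m, make a binary decision, undo the interleaving."""
    bits = []
    for phi, m in zip(phases, running_keys(key, M, len(phases))):
        residual = phi - math.pi * m / M + rotation_error  # ideally 0 or pi
        symbol = 1 if math.cos(residual) < 0 else 0
        bits.append(symbol ^ (m & 1))
    return bits


def bit_error_rate(a, b):
    return sum(x != y for x, y in zip(a, b)) / len(a)


# Constructed sample plaintext: 2000 bits.
MESSAGE = [(i * 7 // 3) & 1 for i in range(2000)]
```

Decrypting with a small `rotation_error` still returns the plaintext, which is the tolerance to imprecise decryption transformations described above; decrypting with a different key returns bits that disagree with the plaintext about half the time.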



III. SECURITY 

As stated in the introduction, key generation and 
data encryption are different cryptographic objectives 
and, therefore, have different sets of criteria by which 
to evaluate performance. The delineation between key 
generation and data encryption is somewhat confused 
by terminology. Because keys procured by a key- 
generation protocol are usually assumed to drive deter- 
ministic encrypters, the terms "quantum key-generation" 



and "quantum data-encryption" are sometimes used in- 
terchangeably. This easily leads to confusion in that (a) 
there are potential uses for the generated keys beyond 
data encryption, and (b) there are methods of realizing 
quantum-based data-encryption without key generation. 

In quantum key-generation, a necessary (but not sufficient)
condition that must be satisfied is

$$H(X|Y^E, K) - H(X|Y^B, K) - H(K) > 0, \qquad (13)$$

where X is a classical n-bit random vector describing
the transmitted bits, $Y^E$ and $Y^B$ are n-bit vectors describing
the observations of an attacker (Eve) and Bob,
respectively; K is an s-bit, previously shared secret between
Alice and Bob that might become public on completion
of the protocol, and $H(\cdot)$ is the Shannon entropy
function. Note that while often omitted in descriptions
of the BB84 and Ekert protocols, both schemes require
a secret key K for the purpose of message authentication.
Also note that the H(K) term in Eq. (13) may be
omitted if both a) information about K is never publicly
announced, and b) K remains secret even when under a
general attack (as in some of Yuen's KCQ key-generation
protocols).

The mathematical definition of H(X|Y), to be read as
"the uncertainty of X given Y," is given by

$$H(X|Y) = -\sum_{x,y} p(X = x, Y = y) \log p(X = x|Y = y), \qquad (14)$$

which, with application of Bayes' theorem and the Law
of Total Probability, becomes

$$H(X|Y) = -\sum_{x,y} p(X = x)\,p(Y = y|X = x) \log \frac{p(X = x)\,p(Y = y|X = x)}{\sum_{x'} p(X = x')\,p(Y = y|X = x')}. \qquad (15)$$



The conditional probability distribution p(Y|X) is completely
and uniquely specified by the probability distribution
of the secret key p(K), the probability distribution of
the plaintext message p(X), and the encryption function
that takes X to $Y = E_K(X)$. While $E_K(X)$ is usually
assumed known to the attacker via the Kerckhoff assumption,
it is important to emphasize that the calculation of
H(X|Y) also depends on the probability distributions
p(K) and p(X) according to Eve. This means that Eve's
conditional entropy H(X|Y) may change if Eve's probability
distribution p(X) changes due to the acquisition of
some side-information (such as the language of the plaintext
message).

For the cryptographic objective of data encryption, be
it classical or quantum-noise-protected, some relevant
information-theoretic quantities are:

i) $H(X|Y^B, K)$, (16)
ii) $H(X|Y^E)$, (17)
iii) $H(K|Y^E)$, (18)

where X is the n-bit transmitted message (plaintext),
$Y^B$ and $Y^E$ are Bob's and Eve's n-bit observations of
the encrypted plaintext (ciphertext), and K is the s-bit
secret key shared by the legitimate users. In words, these
quantities describe i) the error rate for the legitimate
users, ii) the secrecy of the data bits when under attack,
and iii) the secrecy of the secret key when under attack.

FIG. 2: Summary of the quantum-noise protected data encryption protocol. In our experiments, the "pseudo-random key-extender"
is implemented by a maximal-length LFSR and "r-bit-to-r-bit mapping function".

When launched on either the data bits or the secret
key, cryptographic attacks are normally divided
into two categories, known-plaintext (KPT) attacks and
ciphertext-only (CTO) attacks. CTO attacks correspond
to situations where p(X) is uniform, according to the
attacker. In other words, all $2^n$ possible messages are
transmitted with equal probability. A KPT attack corresponds
to all situations where p(X) is nonuniform including
the totally degenerate deterministic case of chosen-plaintext.
Some example KPT attacks include knowledge
of the native language of the message or perhaps some
statistical knowledge of the message content. While there
are clearly varying degrees of KPT attacks, a CTO attack
refers to the specific case of uniform p(X).

According to information theory, Eqs. (17) and
(18) satisfy the following inequalities:

$$H(X|Y^E) \le H(K), \qquad (19)$$
$$H(K|Y^E) \le H(K), \qquad (20)$$

where Eq. (19) is known as the Shannon limit which
is valid when $H(X|Y^B, K) = 0$ (our data-encryption protocol
operates in a regime where $H(X|Y^B, K) = 0$ [23]).
Note that in αη, contrary to the case for key generation
[cf. Eq. (13)], the condition $H(X|Y^E, K) > H(X|Y^B, K)$
need not be satisfied. In fact the opposite is normally
true where an attacker (given the secret key after measurement)
has a lower bit-error rate than the legitimate
receiver. This is the case when a significant amount of
loss and/or additive noise exists between the two users
where it is assumed that the attacker, performing an adequate
quantum measurement, is located near the transmitter.

The one-time pad encrypter achieves what Shannon
called "perfect security" which corresponds to $H(X|Y^E) = H(X)$
in the inequality of Eq. (19) when $s = n$. The practical
problem with the one-time pad is that every data bit to
be encrypted requires one bit of key. More "efficient," albeit
less secure, encrypters operate in the regime where
$s \ll n < \infty$, thereby allowing short secret-keys to encrypt
long messages. A reasonable information-theoretic
goal of such "imperfect but efficient" encrypters (practical
encrypters) could be to show

$$H(X|Y^B, K) \to 0, \qquad (21)$$
$$H(X|Y^E) = \lambda_1 \cdot H(K), \qquad (22)$$
$$H(K|Y^E) = \lambda_2 \cdot H(K), \qquad (23)$$

where $s \ll n < \infty$ and $\lambda_{1,2} \to 1$. It is extremely important
to emphasize that even if $\lambda_1, \lambda_2 \to 0$, there still may
exist a large complexity-based problem of finding the correct
X even when given $y^E$, p(X), p(K), and $E_K(X)$ — it
is in this complexity-based limit in which all of today's
commercial deterministic encrypters are considered.

According to the given information-theoretic criteria,
a goal of practical data encrypters could be to a) drive
$\lambda_{1,2}$ as close to 1 as possible for a reasonably large s while
still keeping $s \ll n < \infty$; b) attempt to mathematically
prove Eqs. (22) and (23); and c) if conditions (a) and (b)
cannot be met, ensure that the computational (search)
complexity is high even when $\lambda_{1,2} \cdot H(K) = 0$. To date,
no practical data encrypter exists for which Eqs. (22)
and (23) can be rigorously proven, for nontrivial $\lambda$, when
under a KPT attack; no significant complexity-based security
has been proven either.
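Eqs. (15), (19) and (20) evaluated numerically, as an added example that is not from the paper. A toy XOR cipher whose s-bit key is repeated to cover n bits stands in for a practical encrypter (it is not the αη protocol), and Eve's p(X) is varied from uniform (CTO) to skewed and fully known (KPT); the cipher, the distributions and all function names are constructed for illustration.

```python
from math import log2


def cond_entropy(p_a, p_b_given_a):
    """H(A|B) in bits from p(A) and p(B|A), following Eq. (15)."""
    p_b = {}
    for a, pa in p_a.items():
        for b, pba in p_b_given_a[a].items():
            p_b[b] = p_b.get(b, 0.0) + pa * pba    # law of total probability
    h = 0.0
    for a, pa in p_a.items():
        for b, pba in p_b_given_a[a].items():
            joint = pa * pba
            if joint > 0.0:
                h -= joint * log2(joint / p_b[b])  # joint / p_b = p(a|b)
    return h


def pad(k, s, n):
    """Toy key extender: repeat the s-bit key k until it covers n bits."""
    out = 0
    for i in range(n):
        out |= ((k >> (i % s)) & 1) << i
    return out


def eve_entropies(p_x, s, n):
    """Return (H(X|Y), H(K|Y), H(K)) for Y = X xor pad(K), K uniform on s bits.

    p_x is the plaintext distribution according to Eve.
    """
    p_k = {k: 1.0 / (1 << s) for k in range(1 << s)}
    y_given_x = {x: {} for x in p_x}
    y_given_k = {k: {} for k in p_k}
    for x, px in p_x.items():
        for k, pk in p_k.items():
            y = x ^ pad(k, s, n)
            y_given_x[x][y] = y_given_x[x].get(y, 0.0) + pk
            y_given_k[k][y] = y_given_k[k].get(y, 0.0) + px
    return cond_entropy(p_x, y_given_x), cond_entropy(p_k, y_given_k), float(s)


def lambdas(p_x, s, n):
    """(lambda_1, lambda_2) of Eqs. (22) and (23) for the toy cipher."""
    h_x_y, h_k_y, h_k = eve_entropies(p_x, s, n)
    return h_x_y / h_k, h_k_y / h_k


def uniform(n):
    """Ciphertext-only attack: all 2^n messages equally likely to Eve."""
    return {x: 1.0 / (1 << n) for x in range(1 << n)}


# Known-plaintext attacks: Eve's p(X) is nonuniform (constructed distributions).
KPT_SKEWED = {x: 0.01 for x in range(16)}
KPT_SKEWED[0] = 0.85          # one 4-bit message is far more likely than the rest
KPT_CHOSEN = {5: 1.0}         # degenerate case: the plaintext is known exactly

if __name__ == "__main__":
    print("one-time pad, s = n = 3 :", eve_entropies(uniform(3), 3, 3))
    print("s = 2, n = 6, CTO       :", eve_entropies(uniform(6), 2, 6))
    print("s = 2, n = 4, skewed KPT:", lambdas(KPT_SKEWED, 2, 4))
    print("s = 2, n = 4, chosen    :", lambdas(KPT_CHOSEN, 2, 4))
```

With uniform p(X) the short-key cipher sits exactly on the Shannon limit (both λ equal 1), while the same cipher under the skewed p(X) drops to λ ≈ 0.24 and under chosen plaintext to 0.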

Note that the appropriate information-theoretic crite- 
ria by which to quantify the security of a data encrypter 
may be different for different sociological situations. For 
example, satisfying the criteria given in Eqs. (22) and
(23) ($\lambda_{1,2} = 1$) may yield security in some situations, but
not in others. A different set of operationally-meaningful
criteria for the cryptographic objective of data encryption,
which does not rely on Shannon entropy, has been
described in Ref. Q . 

Towards the goal of satisfying the cryptographic ob- 
jective of data encryption, according to any reasonable 
information-theory-based criteria, we offer a new approach
to data-encryption wherein the irreducible uncertainty
inherent in the quantum measurement of coherent
states of light is used to perform high-speed randomized
encryption that does not sacrifice the data rate. In our
protocol (section II), the logical mappings of the symbols
are interleaved (Fig. 1). While the users (who share
a short secret-key) are able to make simple binary decisions
on the M-ry signal set, an attacker (who does not
share the secret key) is left with an irreducible uncertainty
in her measurements due to the quantum fluctuations
inherent to coherent states of light. Specifically,
with M and $|\alpha|^2$ in a particular regime, measurements
of neighboring states, on either the Poincare sphere or 
the phase circle, overlap and obscure one another. To an 
attacker, this overlap is equivalent to Alice broadcasting 
digital representations of the M-ry signal that are then 
actively randomized over the signal's closest neighbors in 
the signal constellation. By using coherent states with 
a relatively weak amplitude, a similar randomization is 
achieved through quantum-measurement noise which re- 
quires no active effort on the part of the transmitter, 
but still obscures the true identity of the state called for 
by the protocol. Such randomization is realized through 
any quantum measurement including direct detection, 
balanced homodyne/heterodyne detection, and optimal 
quantum-phase detection. 

Given some restrictive assumptions, one can even de- 
scribe the performance of a quantum-mechanically op- 
timal attack — the best attack allowed by quantum me- 
chanics. While the physical structure of such an optimal 
attack may be unknown, quantum mechanics can estab- 
lish bounds on the maximum information rate of an at- 
tacker. For individual attacks on the message where clas- 
sical correlations are ignored, the quantum-mechanically 
optimal attack — known as the optimal positive operator- 
valued measure — corresponds to optimally distinguish- 
ing all of the states mapped to logical one from those 
mapped to logical zero. Figure 3 plots the information
rate of the optimal positive operator-valued measure as
a function of $|\alpha|^2$ and M for the time- and polarization-mode
implementations where information is defined
as $1 + P_e \log_2(P_e) + (1 - P_e) \log_2(1 - P_e)$ for a bit-error
rate $P_e$.

Figure 3 also plots the information rate of the described
attack when performing an ideal heterodyne measure- 
ment. The performance of this measurement is included 
because it represents the "highest performing" receiver 
structure that an attacker could practically implement 
using today's technology. The difference between the in- 
formation rates of the time- and polarization-mode im- 
plementations, for both the optimal positive operator- 
valued measure and ideal heterodyne attacks, is due to 
the fact that logical bits are defined differentially across 
two modes in the time-mode scheme — a bit is correctly 
determined if and only if two consecutive state measure- 
ments are both correct or both incorrect. It is important 
to remember that both the optimal positive operator- 
valued measure and ideal heterodyne analyses are for a 
very limited attack where Eve does not use her infor- 
mation on the correlations between the running-keys to 



determine the plaintext or secret key — a real attacker 
would presumably use all information at her disposal. 
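A Monte Carlo estimate of an ideal-heterodyne individual attack on the time-mode signal set, as an added example that is not the authors' numerical calculation. It assumes Eve's outcome is the coherent amplitude plus Gaussian noise of variance 1/2 per quadrature, a running key uniform over the M bases, and a nearest-constellation-point decision (not necessarily the best use of the heterodyne data); the function names are hypothetical.

```python
import math
import random


def info_bits(pe):
    """Information per bit for bit-error rate Pe, as defined in the text:
    1 + Pe*log2(Pe) + (1 - Pe)*log2(1 - Pe)."""
    if pe <= 0.0 or pe >= 1.0:
        return 1.0
    return 1.0 + pe * math.log2(pe) + (1.0 - pe) * math.log2(1.0 - pe)


def symbol_error_rate(M, mean_photons, trials, seed=1):
    """Fraction of symbols whose logical label Eve gets wrong.

    The 2M states sit at phases pi*j/M, j = 0 .. 2M-1. Because M is odd, the
    interleaved labelling is simply j mod 2 all the way around the circle.
    """
    rng = random.Random(seed)
    amp = math.sqrt(mean_photons)        # |alpha|
    sigma = math.sqrt(0.5)               # heterodyne noise per quadrature
    errors = 0
    for _ in range(trials):
        j = rng.randrange(2 * M)         # transmitted point (key and data unknown to Eve)
        theta = math.pi * j / M
        re = amp * math.cos(theta) + rng.gauss(0.0, sigma)
        im = amp * math.sin(theta) + rng.gauss(0.0, sigma)
        j_hat = round(math.atan2(im, re) * M / math.pi) % (2 * M)
        errors += (j_hat ^ j) & 1        # label wrong iff the parities differ
    return errors / trials


def dpsk_bit_error(p_symbol):
    """A differential bit is right iff two consecutive symbol decisions are
    both right or both wrong, so it is wrong with probability 2p(1 - p)."""
    return 2.0 * p_symbol * (1.0 - p_symbol)


def eve_information(M, mean_photons, trials=20000, seed=1):
    """Return (symbol error rate, DPSK bit error rate, information in bits/bit)."""
    p = symbol_error_rate(M, mean_photons, trials, seed)
    pe = dpsk_bit_error(p)
    return p, pe, info_bits(pe)


if __name__ == "__main__":
    # Two antipodal states at 4 photons: heterodyne noise rarely flips the label.
    print("M = 1,    |alpha|^2 = 4     :", eve_information(1, 4.0))
    # Parameters quoted later on the page: neighbouring states overlap.
    print("M = 2047, |alpha|^2 = 20000 :", eve_information(2047, 20000.0))
```

At M = 2047 and 20,000 photons the phase noise spans several neighbouring states, so the estimated label error sits at one half to within sampling error and the recovered information is indistinguishable from zero at this sample size.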

While the inability to distinguish neighboring states 
plays a role in protecting the secret key against at- 
tacks, additional mechanisms are required to improve 
the secrecy of the secret key. By introducing deliberate
state-randomization at the transmitter, perfect security
against CTO attacks on the secret key [$H(K|Y^E) = H(K)$,
uniform p(X)] can be assured as well as strongly-ideal
security against CTO attacks on the message
[$H(X|Y^E) = H(K)$, uniform p(X)]. More information
on deliberate state-randomization is available in Ref. . 
Note that the mapper and deliberate state-randomization 
have not yet been implemented in our published experi- 
mental realizations. 

Physical "trojan horse" attacks can also be launched 
on the message and the secret key by attempting to probe 
Alice's transmitter settings. In such an attack, an eaves- 
dropper would send strong light into Alice's transmitter 
and measure the state of her reflected light. Attacks of 
this type can be passively thwarted by using an optical 
isolator at the output of Alice's transmitter. 

Confusion over the cryptographic service that our protocol
(αη) offers as well as how quantum noise is exploited
in our scheme prompted a criticism to Ref. IToll 
and some of the authors of Ref. have replied |2l| . 
In Ref. I^^, it is claimed that the αη data-encryption
protocol, operating in a regime where $H(X|Y^B, K) < H(X|Y^E, K)$,
already permits key generation. We disagree
with that conclusion.

IV. EXPERIMENTS 

Using both the polarization- and time-mode implementations,
we demonstrate high-speed quantum-noise-protected
data encryption. The primary objective of
these experiments is to successfully demonstrate quan- 
tum data encryption through a realistic classical-data 
bearing WDM fiber line. A secondary objective is to 
show that the quantum-noise encrypted signal does not 
negatively impact the performance of the classical data- 
bearing channels. The following two subsections sum- 
marize the physical setups as well as the experimental 
results for both implementations. 



A. Polarization-mode implementation 

A description of the polarization-mode experimental
setup naturally breaks into two parts: the quantum-noise-protected
data-encryption transmitter/receiver
pair and the WDM fiber line (which also carries classical
data traffic) over which the encrypted data travels.
We first describe the transmitter/receiver pair. As
illustrated in Fig. 4 (left), a polarization-control-paddle
(PCP) is adjusted to project the light from a 1550.1nm-wavelength
distributed-feedback (DFB) laser equally into
the two polarization modes of Alice's 10GHz-bandwidth
fiber-coupled LiNbO3 phase modulator (PM). Driven by
the amplified output of a 12-bit digital-to-analog (D-A)
board, the modulator introduces a relative phase (0 to
$2\pi$ radians) between the two polarization modes. A software
LFSR, which is implemented on a personal computer
(PC), yields a running-key that, when combined
with the data bit, instructs the generation of one of the
two states described in Eqs. (1) and (2). Due to electronic
bandwidth limitations of some amplifiers, Manchester
coding is applied on top of the signal set that results
in a factor of two reduction of the data rate (250Mbps)
relative to the line rate (500Mbps). Note that in the
time-mode implementation, described in Sec. IV B, such
Manchester coding is not required due to the use of wider
bandwidth amplifiers.

FIG. 3: Shannon information recovered through individual attacks on the message when launching either the optimal
positive operator-valued measure or an ideal heterodyne measurement on the time-mode (left) and polarization-mode (right)
implementations. Plotted as a function of $|\alpha|^2$, for several values of M.

On passing through the 100km-long WDM fiber line
[shown in Fig. 4 (right), Crypto. in and Crypto. out],
the received light is amplified by a home-built erbium-doped-fiber
amplifier (EDFA) with ~30dB of small-signal
gain and a noise figure very close to the quantum
limit (NF ~ 3dB). Before passing through Bob's PM,
the received light is sent through a second PCP to cancel
out the unwanted polarization rotation that occurs in
the 100km-long fiber line. While these rotations fluctuate
with a bandwidth on the order of kilohertz, the magnitude
of the fluctuations drops quickly with frequency,
allowing the use of a manual PCP to track out such unwanted
polarization rotations. In future implementations
Bob's measurements could be used to drive an automated
feedback control on the PCP.

The relative phase shift (polarization rotation) introduced
by Bob's modulator is determined by the running-key
R generated through a software LFSR in Bob's PC
and applied via the amplified output of a second D-A
board. After this phase shift has been applied, the relative
phase between the two polarization modes is 0 or $\pi$,
corresponding to a 0 or 1 according to the running-key:
if R is even then $(0, \pi) \to (0, 1)$ and if R is odd then
$(0, \pi) \to (1, 0)$. With use of a fiber-coupled polarization
beam splitter (FPBS) oriented at $\pi/4$ radians with respect
to the modulator's principal axes, the state under
measurement [Eq. (9) or (10)] is direct-detected by using
two 1GHz-bandwidth InGaAs PIN photodiodes operating
at room temperature, one for each of the two polarization
modes. The resulting photocurrents are amplified
by a 40dB-gain amplifier, sampled by an analog-to-digital
(A-D) board, and stored for analysis. The overall sensitivity
of Bob's preamplified receiver is measured to be
660 photons/bit for 10^^ error probability. 

As shown in Fig. 4 (right), the 100km-long WDM
line consists of two 40-channel 100GHz-spacing arrayed-waveguide
gratings (AWGs), two 50km spools of single-mode
fiber (Corning, SMF-28), and an in-line EDFA
with an output isolator. Along with the quantum-noise
protected 0.25Gbps encrypted-data channel, two 10Gbps
channels of classical data traffic also propagate through
the described WDM line. Light from two DFB lasers on
the 100GHz ITU grid (1546.9nm and 1553.3nm) is mixed
on a 3dB coupler, where one output is terminated and
the other enters a 10GHz-bandwidth fiber-coupled Mach-Zehnder
type LiNbO3 intensity modulator (IM). The IM
is driven by an amplified 10Gbps pseudo-random bit
sequence (PRBS) generated by a pattern generator of
(2^^— 1) period. The PRBS modulated-channels (hereafter
referred to as PRBS channels) then pass through
an EDFA to compensate for losses before entering, and
being spectrally separated by AWG1. By introducing approximately
one meter fiber length difference between the
separated PRBS channels before combining them into the
100km-long WDM line with AWG2, the bit sequences of
the two channels are shifted by 50 bits. This shift reduces
temporal correlations between the two PRBS channels,
thereby more effectively simulating random, real-world
data traffic. The 100km-long WDM line is loss compensated
by an in-line EDFA. The 10dB power loss in the
first 50km spool of fiber (0.2dB/km loss) is compensated
by 10dB of saturated gain from the in-line EDFA. The
overall loss of the line is therefore 15dB, where 10dB come
from the second 50km spool of fiber and the remaining
5dB from the two AWGs (2.5dB each).

FIG. 4: Left, transmitter/receiver setup: G1, RF power amplifier; OA1, low-noise EDFA followed by a Bragg-grating filter;
G2, RF signal amplifier. Right, WDM network setup: OA1, low-noise EDFA; G3, IM driver; OA2, in-line EDFA followed by
an optical isolator; OA3, EDFA.

After propagating through the WDM line the channels
are separated by AWG3. Either of the two PRBS
channels is amplified with a 20dB gain EDFA (OA3) and
the group-velocity-dispersion (GVD) is compensated by
a -1530ps/nm dispersion-compensation module (DCM).
While the GVD introduced in the WDM line is approximately
1700ps/nm, the DCM used is sufficient for
our demonstration. The amplified, GVD-compensated
PRBS channel is detected using an InGaAs PIN-TIA receiver
(RCVR) and analyzed for errors by a 10Gbps bit-error-rate
tester (BERT). Bit-error rates for each PRBS
channel are measured separately using the BERT.

Figure 5(a) (left) shows the optical spectrum of the
light after AWG2 measured with 0.01nm resolution bandwidth.
The launch powers in the quantum channel and
in each of the PRBS channels are -25dBm and 2dBm,
respectively. An eye pattern of the 1546.9nm PRBS channel
at launch is shown in Fig. 5(a) (right). Measuring after
AWG2 (i.e., at launch), neither PRBS channel showed
any error in 10 terabits of pseudo-random data communicated.
Figure 5(b) (left) shows the optical spectrum
(0.01nm resolution bandwidth) of the light received after
the second 50km spool of fiber. This figure clearly
shows the 10dB loss in signal power of all the channels
and the accompanying 10dB increase in the amplified-spontaneous-emission
dominated noise floor. An eye pattern
of the 1546.9nm PRBS channel, post dispersion compensation,
is shown in Fig. 5(b) (right). While the effect
of the residual GVD is clearly visible in the eye pattern,
the bit-error rate for each of the PRBS channels remains
nearly "error free" at 5 x 10"". Neither the bit -error 
rates nor the eye patterns of the PRBS channels change
when the quantum channel is turned off.

FIG. 5: (a): Optical spectrum (left) and eye pattern (right) of
a PRBS channel at launch [after AWG2 in Fig. 4 (right)]. (b):
Optical spectrum (left) and eye pattern (right) of a PRBS
channel at the end of the line [before AWG3 in Fig. 4 (right)].

Figure 6 shows results of 5000 A-D measurements (one
of the two detector outputs) of a 9.1Mb bitmap file
transmitted on the encrypted channel from Alice to Bob (top)
and to Eve (bottom) through the 100km-long WDM line
at 250Mbps data rate. The insets show the respective
decoded images. In this experiment, actions of Eve are
physically simulated by Bob starting with an incorrect
secret-key. Clearly, a real eavesdropper would aim to
make better measurements by placing herself close to
Alice and implementing a more optimized quantum
measurement. While Fig. 6 does not explicitly demonstrate
Eve's inability to distinguish logical ones from zeros, it
does show that a simple bit decision is impossible. In the
current setup, the 12-bit D-A conversion allows Alice to
generate and transmit 4094 distinct polarization states
(M = 2047 bases). The numerical calculation used to
plot Fig. (right) then shows that for -25dBm launch
power at 250Mbps (500Mbps line rate, jap « 20,000)
and M = 2047, Eve's maximum obtainable information
in an individual attack on the message is less than 10"
bits/bit.

FIG. 6: 5-kbit segments of 9.1-Mbit transmissions through
the WDM link. Insets, the received bit-map images. Top,
Bob's detection; bottom, Eve's detection.

B. Time-mode implementation

While technically possible, as demonstrated above, the 
polarization-state alignment required at the receiver by 
the polarization-mode scheme makes it much less attrac- 
tive than a polarization-insensitive version with equiva- 
lent performance. The time-mode implementation is to- 
tally polarization-state insensitive and is therefore much 
more desirable for performing quantum-noise-protected 
data encryption over real-world WDM networks. 

As with the polarization-mode implementation, a
description of the time-mode experimental setup naturally
breaks into two parts: the transmitter/receiver pair and
the WDM fiber line. We first describe the
transmitter/receiver pair. As illustrated in Fig. 7 (left), -25dBm
of power from a 1550.9nm-wavelength DFB laser is
projected into Alice's 10GHz-bandwidth fiber-coupled PM.
Driven by the amplified output of a 12-bit D-A board,
the modulator introduces a relative phase (0 to 2π
radians) between temporally neighboring symbols. A 4.4-kb
software LFSR, which is implemented on a PC, yields a
running-key that, when combined with the data bit,
instructs the generation of one of the two states described
in Eqs. Q and Q at a 650Mbps data rate. Before leaving
the transmitter, the encrypted signal is amplified with
an EDFA (OA1) to a saturated output power of 2dBm.

On passing through the 200km-long WDM line [shown
in Fig. 7 (right), Crypto. in and Crypto. out], the
received light is amplified by another EDFA (OA2)
with ~30dB of small-signal gain and a noise figure
very close to the quantum limit (NF ~ 3dB). The
light then passes through a pair of 10GHz-bandwidth
polarization-maintaining-fiber-coupled PMs oriented
orthogonally with respect to each other so that the x (y)
polarization mode of the first modulator projects onto
the y (x) mode of the second modulator. The effect of
such concatenation is to apply an optical phase
modulation that is independent of the polarization state of the
incoming light. The relative phase shift introduced by
Bob's modulator pair is determined by the running-key
R generated through a software LFSR in Bob's PC and
applied via the amplified output of a second D-A board.
After this phase shift has been applied, the relative phase
between temporally neighboring states is 0 or π
(differential phase-shift keying), differentially corresponding to
a 0 or 1.

The decrypted signal then passes through a fiber- 
coupled optical circulator and into a temporally asym- 
metric Michelson interferometer with one bit-period 
round-trip path-length delay between the two arms. Use 
of Faraday mirrors (FM) in the Michelson interferome- 
ter ensures good polarization-state overlap at the output, 
yielding high visibility interference. The interferometer 
is path length stabilized with a PZT and dither-lock cir- 
cuit. 

Light from the two outputs of the interferometer is
direct-detected by using two room temperature
1GHz-bandwidth InGaAs PIN photodiodes set up in a
difference photocurrent configuration. The resulting
photocurrent is either sampled by an A-D board and stored
for analysis, or put onto a communications signal
analyzer (CSA) to observe eye patterns.
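The key-driven phase encoding and decoding described above for the time-mode transmitter/receiver pair can be sketched as follows. This is an added example, not code from the paper: the 16-bit LFSR, the 11-bit key packing, the basis-to-phase mapping in `basis_phase`, the seeds and the Gaussian phase-noise approximation 1/(2*sqrt(N)) are all assumptions, and each list element stands for the relative phase between neighboring symbols.

```python
import math
import random

M = 2047                  # bases (page: 4094 distinct phase states)
PHOTONS_PER_BIT = 40_000  # page: -25dBm at 650Mbps
SIGMA = 1 / (2 * math.sqrt(PHOTONS_PER_BIT))  # approx. coherent-state phase noise (rad)

def lfsr_bits(seed):
    """16-bit Fibonacci LFSR (taps 16,14,13,11): toy stand-in for the 4.4-kb LFSR."""
    state = seed & 0xFFFF
    if state == 0:
        raise ValueError("LFSR seed must be non-zero")
    while True:
        bit = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
        state = (state >> 1) | (bit << 15)
        yield bit

def running_key(seed, n):
    """n basis indices in [0, M), 11 LFSR bits per symbol (assumed packing)."""
    bits = lfsr_bits(seed)
    return [sum(next(bits) << i for i in range(11)) % M for _ in range(n)]

def basis_phase(k):
    # Assumed mapping: basis k sits at pi*k/M and bit polarity alternates with k,
    # so neighbouring states on the phase circle carry opposite bits.
    return math.pi * k / M + math.pi * (k % 2)

def encrypt(data_bits, key, rng):
    """Alice: relative phase = basis phase + pi*bit; noise modelled as phase jitter."""
    return [basis_phase(k) + math.pi * b + rng.gauss(0, SIGMA)
            for b, k in zip(data_bits, key)]

def decrypt(phases, key):
    """Bob: undo the basis phase, then decide 0 (near 0) or 1 (near pi)."""
    return [0 if math.cos(p - basis_phase(k)) > 0 else 1
            for p, k in zip(phases, key)]

def error_rate(sent, got):
    return sum(s != g for s, g in zip(sent, got)) / len(sent)

def demo(n=4000):
    rng = random.Random(1)                       # constructed data and noise
    data = [rng.getrandbits(1) for _ in range(n)]
    phases = encrypt(data, running_key(0xACE1, n), rng)
    bob = error_rate(data, decrypt(phases, running_key(0xACE1, n)))
    eve = error_rate(data, decrypt(phases, running_key(0x1D2C, n)))  # wrong seed
    return bob, eve, SIGMA / (math.pi / M)       # noise width in state spacings

if __name__ == "__main__":
    print(demo())
```

With the correct seed the residual phase sits at 0 or π and the noise is irrelevant to the decision; with a wrong seed the residual phase is spread around the circle, and the noise width exceeds the spacing between neighboring states.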

As shown in Fig. 7 (right), the 200km-long WDM line
consists of two 100GHz-spacing AWGs, two 100km spools
of single-mode fiber (Corning, SMF-28) and an in-line
EDFA with an input isolator. Along with the
quantum-noise protected 650Mbps encrypted-data channel, two
10Gbps channels of classical data traffic also propagate
through the first 100km of the described WDM line.
Light from two DFB lasers with wavelengths on the
100GHz ITU grid (1550.1nm and 1551.7nm) is mixed
on a 3dB coupler, where one output is terminated and
the other enters a 10GHz-bandwidth fiber-coupled
Mach-Zehnder type LiNbO3 intensity modulator (IM). The IM is
driven by an amplified 10Gbps PRBS generated by a
bit-error-rate tester (BERT) of (2^1-1) period. The
PRBS-modulated channels (hereafter referred to as PRBS
channels) then pass through an EDFA to compensate for
losses before entering and being spectrally separated
by AWG1. Partial decorrelation of the PRBS channels
is achieved by introducing approximately one meter
fiber length difference (~ 50 bits) between the channels
before combining them into the WDM line with
AWG2. On launch (i.e., after AWG2), the optical power
is -2dBm/channel for all three channels.

FIG. 7: Left: Transmitter/receiver setup. G1, RF power amplifier; OA2, low-noise EDFA followed by a 25GHz-passband
Bragg-grating filter; PMF, polarization-maintaining fiber; Circ., optical circulator. Right: 200km in-line amplified line. IM,
10Gbps intensity modulator; DCM, dispersion-compensation module; RCVR, 10Gbps InGaAs PIN-TIA optical receiver; G2,
10Gbps modulator driver

After propagating through the first 100km of fiber
(20dB of loss) and the in-line EDFA (23dB of gain),
the channels are separated by AWG3 (3dB of loss).
Either of the two PRBS channels is amplified with a 10dB
gain EDFA and the GVD is partially compensated by
a -1530ps/nm DCM. The amplified, GVD-compensated
PRBS channel is detected using an InGaAs PIN-TIA
receiver (RCVR) and analyzed for errors by the BERT.
Note that the reason that the PRBS channels do not
propagate through the entire 200km line is because our
DCM only provides enough compensation for 100km of
fiber. Figure 8(a) (left) shows the optical spectrum of
the light measured after AWG2 with 0.01nm resolution
bandwidth. The launch power in the quantum chan- 
nel and in each of the PRBS channels is — l.SdBm. An 
eye pattern of the 1550.1nm PRBS channel at launch is
shown in Fig. 8(a) (right). Measuring after AWG2 (i.e., at
launch), neither PRBS channel showed any errors in 10
terabits of pseudo-random data communicated. Figure
8(b) (left) shows the optical spectrum (0.01nm resolution
bandwidth) of the light received after the in-line
amplifier (100km of fiber). An eye pattern of the 1550.1nm
PRBS channel, post dispersion compensation, is shown in
Fig. 8(b) (right). As in the polarization-mode
implementation, the bit-error rate for each of the PRBS channels
remained nearly "error free" at 5 x 10^^^ despite the
incomplete GVD compensation. Neither the bit-error rates
nor the eye patterns of the PRBS channels changed when
the quantum channel was turned off.

FIG. 8: (a): Optical spectrum (left) and eye pattern of a
PRBS channel (right) at launch [after AWG2 in Fig. 7 (right)].
(b): Optical spectrum (left) and eye pattern of a PRBS
channel (right) after in-line amplification [before AWG3 in
Fig. 7 (right)].

Figure 9 shows the eye patterns for encrypted 650Mbps
(2^^ - 1)-bit-PRBS and 1Mb-bitmap-file transmissions
(insets) as measured by Bob (top) and Eve (bottom).
In these experiments, Bob is located at the end of the
200km-long line and Eve is located at the transmitter
(Alice). Eve's actions are physically simulated by using
Bob's hardware, but starting with an incorrect
secret-key. While Fig. 9 (bottom) does not explicitly
demonstrate Eve's inability to distinguish neighboring coherent
states on the phase circle, it does, however, show that a
simple bit decision is impossible. The Q-factor for Bob's
eye pattern, as measured on the CSA, was 12.3.

In all of the time-mode implementation experiments,
the coherent states are transmitted using
non-return-to-zero (NRZ) format. The return-to-zero-like appearance
of Bob's eye pattern is due to non-zero rise time of the
optical phase modulation. This phenomenon is also
observed in traditional NRZ-DPSK systems. The apparent
banding of Eve's measurements at the top and bottom
of the eye pattern is due to the sinusoidal transfer
function of the temporally asymmetric interferometer used for
demodulation. Despite this apparent banding, the
eavesdropper's probability of error is equal for every
transmitted bit. If an eavesdropper were to, say, perform optical
heterodyne detection, a uniform distribution of phases
would be observed.

FIG. 9: Top: Eye pattern and histogram of Bob's decrypted
signal after 200km propagation in the WDM line. Bottom:
Eye pattern and histogram of Eve's measurements at the
transmitter. Insets, received 1Mb bitmap file transmissions.

In the current setup, the 12-bit D-A conversion
allows Alice to generate and transmit 4094 distinct phase
states (M = 2047 bases). Although we simulate an
eavesdropper by placing Bob's equipment at the transmitter,
a real eavesdropper would aim to make the best
measurements allowed by quantum mechanics (just as in the
polarization-mode implementation). The numerical
calculation used to plot Fig. (left) shows that for -25dBm
signal power at 650Mbps (40,000 photons/bit) with
M = 2047, Eve's maximum obtainable information in
an individual attack on the message would be less than
10^-15 bits/bit.



V. DISCUSSION AND SUMMARY 

In summary, we have developed schemes towards 
the cryptographic objective of practical data encryp- 
tion by using the fundamental and irreducible quantum- 
measurement uncertainty of coherent states. Unlike cur- 
rently deployed deterministic encrypters whose security 
relies solely on unproven computational complexity, we 
offer a new quantum-mechanical vehicle to quantifiable 
information-theoretic security through high-speed ran- 
domized encryption. Furthermore, we have clearly speci- 
fied a set of security criteria for the cryptographic service 
of data encryption (which are different from those for 
key generation) and considered some optimal quantum 
attacks on our scheme. While we have yet to explicitly 
determine the level of information-theoretic security pro- 
vided by our scheme under a general attack (which may 
correspond to finding Ai, A2), our scheme does provide a 
physical layer of quantum-noise randomization that can 
only enhance the security of a message already encrypted 
with a traditional deterministic cipher. 

Experimentally, we have implemented and
demonstrated two high-speed versions of the αη data-encryption
protocol using both polarization and time modes, and
evaluated the schemes' performances through active 
WDM lines. Whereas the polarization-mode experiments 
have demonstrated the efficacy of the data-encryption 
protocol, the polarization independent time-mode exper- 
iments have demonstrated a technology that is "drop-in" 
compatible with the existing optical telecommunications 
infrastructure. 